4. What software specifically will you be assigning CVEs for (this can be everything you ship, or a limited subset, either way the DWF will require a list of names at a minimum, ideally with URLs to the software)

5. You must provide a public method (e.g. no login required) for published CVEs (e.g. product ChangeLog or a security page with a list of CVEs and minimum information as specified in the CNA Rules)

6. You must have an email/web page for people to report security issues in your covered products that may need CVEs (basically you need some sort of pre-existing security process that can at a minimum identify if something is a security vulnerability, and then assign a CVE for it that can be made public at some point)

7. How many CVEs per year you expect to need, the DWF allocates in blocks of 10, 20, 50, 100, if you consistently need more, we can assign additional blocks. If a block is unused for a long time we may return it to the DWF pool (method to be determined)

8. You must provide the DWF a minimum of one contact person on your CNA team (note that this can simply be your existing security team) and contact information in the form of an email address that they actually check (e.g. their work email address), this can be kept private if you wish, it must be kept up to date (e.g. if they leave the CNA)

9. You must have at least one GitHUB account to submit pull requests against the DWF-Database and DWF-Database-Artifacts repos